In my Java web application I have to set the JSESSIONID cookie to secure.

With Servlet 3.0 it's easily done in web.xml. My problem is, I have to stick with Servlet 2.5.

I already tried to edit the created cookie with the following code:

```java
for (int i = 0; i < cookies.length; i++) {
    if (cookies[i].getName().equals("JSESSIONID")) {
        cookies[i].setSecure(true);
        response.addCookie(cookies[i]);
    }
}
```

but the only result I get back is a new cookie called JSESSIONID which is secured and the old JSESSIONID cookie stays unchanged.

Is there another way to edit the generated JSESSIONID cookie secure flag to true or is it impossible?

Thanks in advance for your help.

  • Is this helpful? http://stackoverflow.com/q/16398327 – BalusC Apr 06 '16 at 18:58
  • Thank you for your response. I added the classes mentioned in this answer, but unfortunately the cookie doesn't change, it stays not secured. – FunnyTilly Apr 07 '16 at 07:14
  • It's helpful if you elaborate what step of manipulating the cookie exactly failed. – BalusC Apr 07 '16 at 07:16
  • It was happening in my case as well. You are getting a default cookie-jsession id. But once we touch the session for the first time by using httpServletRequest.getSession(), it creates a new session id, which is set into the cookie as a separate jsession id. You just need to use httpServletRequest.getSession().getId() to set inside the cookie value. Please refer to the link suggested by @BalusC: https://stackoverflow.com/questions/16398327/set-httponly-and-secure-flags-on-session-cookie-in-google-app-engine – A_01 Oct 18 '18 at 09:08
  • Possible duplicate of [set httpOnly and secure flags on session cookie in Google App Engine](https://stackoverflow.com/questions/16398327/set-httponly-and-secure-flags-on-session-cookie-in-google-app-engine) – A_01 Oct 18 '18 at 09:09

0 Answers
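A sketch of the approach the comments point to, added here as an example and not code from the thread: a Servlet 2.5 filter that writes the session cookie header itself from `getSession().getId()`. Cookies returned by `request.getCookies()` carry only name and value, so a cookie re-added from them goes out without the container's Path and the browser can store it as a second JSESSIONID. The filter name `SecureSessionCookieFilter` is hypothetical, and the code assumes the container names the cookie JSESSIONID, scopes it to the context path, and emits it as an ordinary `Set-Cookie` header that `setHeader()` replaces.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter name; added example, not code from the thread.
public class SecureSessionCookieFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Assumption: the application wants a session on every request, so it is
        // created here, before anything has been written to the response.
        HttpSession session = request.getSession();

        // Only a new session makes the container emit Set-Cookie. Over plain HTTP a
        // Secure cookie would not come back, so leave the response untouched there.
        if (session.isNew() && request.isSecure() && !response.isCommitted()) {
            // Use the same Path as the container (assumed: the context path), so the
            // browser replaces the existing cookie instead of storing a second one.
            String path = request.getContextPath();
            if (path == null || path.length() == 0) {
                path = "/";
            }
            // Servlet 2.5 has no Cookie.setHttpOnly(), so the header is built by hand.
            // setHeader() replaces Set-Cookie headers already on the response; this
            // filter must run before anything else adds a cookie.
            response.setHeader("Set-Cookie",
                    "JSESSIONID=" + session.getId() + "; Path=" + path + "; Secure; HttpOnly");
        }
        chain.doFilter(request, response);
    }
}
```

Map the filter to `/*` in web.xml ahead of any other filter, then check the response headers of the first HTTPS request: exactly one `Set-Cookie: JSESSIONID=...` line carrying `Secure` should be present.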